Wi-Fi virus: Much ado about (almost) nothing

Researchers at the University of Liverpool made a splash in the media two weeks ago when they announced that they had demonstrated the first virus to infect a wireless network.

In a laboratory setting, the virus, dubbed Chameleon, moved from wireless access point to wireless access point, and while it didn’t affect the network, it did report the credentials of connected users.

Apparently, however, the virus was not able to infect access points that were encrypted and password protected. So basically what the researchers demonstrated was that vulnerable networks are … well … vulnerable.

"First, what they did is theoretical. They haven't proved to anybody that they can do it," noted Martin Lindner, principal engineer in the CERT Division of the Carnegie Mellon University Software Engineering Institute.

“What I think they're alluding to is that they can compromise access points themselves. But that would be no different than compromising a PC, a router or any other device on the network. The new part is that they are talking about taking control of a piece of hardware that most people don't really think is worth taking control of.”

And in any case, Lindner said, the security community is already well aware of the vulnerability of access points.

“If I'm the IT guy at an agency, I should have a regimen in place that tracks what access points I own and operate, and I’ll be surveying the building on a regular basis looking for things that claim to be my network that I don't know about,” Lindner said. “If you are doing your due diligence looking for rogue access points, you have little risk that one of your employees is going to connect to a network you don't control.”
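The survey Lindner describes amounts to comparing what is heard on the air against an inventory of owned access points. The sketch below is an added example, not code from the article or the researchers; the inventory, SSIDs, BSSIDs and the `audit` function are constructed for illustration, and real scan data would come from whatever survey tool the site uses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # radio MAC address as reported by the survey tool
    security: str   # e.g. "WPA2" or "OPEN"

# Constructed inventory: BSSID -> (expected SSID, expected security)
INVENTORY = {
    "02:00:00:aa:00:01": ("AGENCY-CORP", "WPA2"),
    "02:00:00:aa:00:02": ("AGENCY-CORP", "WPA2"),
    "02:00:00:aa:00:03": ("AGENCY-GUEST", "WPA2"),
}

# Constructed survey results from one walk of the building
SURVEY = [
    Beacon("AGENCY-CORP", "02:00:00:AA:00:01", "WPA2"),   # owned, as expected
    Beacon("AGENCY-CORP", "02:00:00:bb:00:99", "WPA2"),   # unknown radio using our SSID
    Beacon("AGENCY-GUEST", "02:00:00:aa:00:03", "OPEN"),  # owned, encryption changed
    Beacon("CoffeeShop", "02:00:00:cc:00:10", "OPEN"),    # neighbour, not our concern
]

def audit(survey, inventory):
    """Return (finding, bssid, ssid) tuples for follow-up by the network team."""
    owned_ssids = {ssid for ssid, _ in inventory.values()}
    findings, seen = [], set()
    for b in survey:
        bssid = b.bssid.lower()          # tools differ in MAC letter case
        seen.add(bssid)
        known = inventory.get(bssid)
        if known is None:
            # Something we do not own is claiming to be our network.
            if b.ssid in owned_ssids:
                findings.append(("ROGUE_SSID_CLAIM", bssid, b.ssid))
            continue
        # An owned AP whose SSID or encryption no longer matches the record.
        if (b.ssid, b.security) != known:
            findings.append(("CONFIG_DRIFT", bssid, b.ssid))
    # Owned APs that were never heard: a coverage gap, an outage, or a moved AP.
    for bssid in sorted(set(inventory) - seen):
        findings.append(("NOT_SEEN", bssid, inventory[bssid][0]))
    return findings

if __name__ == "__main__":
    for finding in audit(SURVEY, INVENTORY):
        print(*finding)
```

A BSSID can be copied, so a match against the inventory is a starting point for the survey rather than proof that the radio is the agency's own.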

If there’s a lesson to be learned from Chameleon – apart from the obvious one not to assume you’re secure on a public Wi-Fi network – it is the importance of implementing end-to-end encryption.

“You still might have WPA2 for wireless encryption, but you then would be tunneling a direct path between the client and the server using end-to-end encryption. So even if the guy had control of the access point, the information would still be garbage,” Lindner said.

Unfortunately, Lindner added, some federal agencies have lagged in implementing end-to-end encryption. “It's probably not as prevalent as it could be,” he said. “But it is clearly on the radar.”

Another thing that would help is adoption of IPv6, which natively supports end-to-end encryption. “There is a push – slow, but it is there – for IPv6,” Lindner noted.